Fixed Intel
HIGH THREAT ALERT
Aggregated Intel
High
Industry NewsImpact: 72/10

Cisco Patches Multiple Vulnerabilities in IOS Software

The high- and medium-severity flaws could lead to denial-of-service, secure boot bypass, information disclosure, and privilege escalation.

FIFixed Intel Team||2 min read|3 Views
Cisco Patches Multiple Vulnerabilities in IOS Software

AI-Generated Summary

Cisco released patches for twelve high- and medium-severity vulnerabilities in IOS and IOS XE software as part of its semiannual security advisory bundle. Four publicly disclosed medium-severity flaws affecting Cisco Catalyst 9300 Series switches can be chained to escalate privileges and cause persistent denial-of-service conditions requiring physical intervention. Additional vulnerabilities include secure boot bypass, XSS attacks, CRLF log injection, information disclosure, and multiple DoS conditions.

Affected Sectors

TelecommunicationsInformation TechnologyFinancial ServicesGovernmentCritical InfrastructureHealthcareEnergy

Frameworks

NCA-ECCISO27001NIST CSFIEC 62443CIS ControlsNIST SP 800-53

Aggregated from SecurityWeek

This article was automatically aggregated from an external source. Content may be summarized.

Read Original

Full Analysis

Cisco on Wednesday announced patches for a dozen high- and medium-severity vulnerabilities in IOS and IOS XE, most of which could be exploited to cause denial-of-service (DoS) conditions.

The patches were rolled out as part of Cisco’s semiannual IOS and IOS XE security advisory bundle. While none of the bugs appear to have been exploited in the wild, technical information on four of them has been published.

The publicly disclosed issues, tracked as CVE-2026-20110, CVE-2026-20112, CVE-2026-20113, and CVE-2026-20114, are medium-severity defects affecting Cisco Catalyst 9300 Series switches.

According to OPSWAT, which discovered and reported the security defects, attackers could chain two of these flaws, CVE-2026-20114 and CVE-2026-20110, to escalate privileges and cause a persistent DoS condition that may require manual intervention to resolve.

Impacting the Lobby Ambassador web-based management API, CVE-2026-20114 exists because parameters are not sufficiently validated, allowing attackers logged in as a Lobby Ambassador to create a new user privilege level 1 access to the API and access the device.

CVE-2026-20110 impacts the management CLI of the vulnerable devices and “exists because incorrect privileges are associated with the start maintenance command.” This allows an attacker to place the device in maintenance mode.

Advertisement. Scroll to continue reading.

“By chaining the initial privilege escalation with the subsequent command injection, the maintenance operation could be triggered – resulting in a persistent Denial-of-Service condition. In validated scenarios, restoring normal functionality required physical access to the device, significantly amplifying operational impact,” OPSWAT notes.

The other two security defects could be exploited to mount XSS attacks (CVE-2026-20112) or to inject logs via CRLF manipulation (CVE-2026-20113)

Cisco’s fresh round of IOS and IOS XE updates resolved six high-severity vulnerabilities, five of which could lead to DoS conditions. The sixth could allow attackers to bypass secure boot.

The flaws exist because specific packets are not properly handled, user input is not properly validated, memory resources are not properly managed, or software is not sufficiently validated at boot time.

The remaining two medium-severity issues resolved in IOS and IOS XE could lead to information disclosure and DoS conditions.

Additional information can be found on Cisco’s security advisories page.

Related: Cisco Firewall Vulnerability Exploited as Zero-Day in Interlock Ransomware Attacks

Related: Cisco Patches High-Severity IOS XR Vulnerabilities

Related: Recent Cisco Catalyst SD-WAN Vulnerability Now Widely Exploited

Related: Cisco Patches Critical Vulnerabilities in Enterprise Networking Products

Originally published by SecurityWeek

Original Source

SecurityWeek